README

Last Update: Mon Oct 06 17:19:12 +0200 2008

About

This plugin is an access control system that lets you add logic to your roles. A role is not just a static string; instead it's a piece of executable code. This allows you to add smart, context-aware roles such as Owner or Creator.

The system also supports restricting access to a URL. Examples:

 link_to_if_authorized("Hello", { :action => :index })
 link_to_if_authorized("People", people_url)

 access_authorized_to_url?("http://example.com/users/1/edit")
 access_authorized_to_url?("http://example.com/users/1/edit",
                           html_options, user)

This is useful if you wish to remove or simplify access control logic in your views: simply use access_authorized_to_url? in your view helpers.

Install

  • Get the plugin
 script/plugin install http://svn.redpill.se/rails_plugins/redpill_access_control
 If you install the plugin manually, don't forget to run install.rb
  • Create the Authorizations table
 script/generate migration create_authorizations

 class CreateAuthorizations < ActiveRecord::Migration
   def self.up
     create_table :authorizations do |t|
       t.string   "role"
       t.integer  "user_id"
       t.timestamps
     end
   end

   def self.down
     drop_table :authorizations
   end
 end
  • Add "include Redpill::AccessControl::Object" to your application controller.
     class ApplicationController < ActionController::Base
      include Redpill::AccessControl::Object
     end

     Most likely you want to implement permission_denied() and perhaps even
     permission_granted() in your application controller.

     Example:
     def permission_denied
      logger.info("Permission denied to %s at %s for %s" % [current_user,
                                                            Time.now,
                                                            request.request_uri]) if current_user
      flash[:notice] = "You don't have access to this action."
      respond_to do |format|
       format.html { redirect_back_or_default('/') }
       format.js   { render :template => 'shared/access_denied.rjs' }
      end
     end

     def permission_granted
      logger.debug("Permission granted to %s at %s for %s" % [current_user,
                                                              Time.now,
                                                              request.request_uri]) if current_user
     end

  • Add "include Redpill::AccessControl::Subject" to your user model.
     class User < ActiveRecord::Base
      include Redpill::AccessControl::Subject
     end

     Make changes to models/authorization.rb if you like.

  • Create roles using generator:
 script/generate role User
 script/generate role Manager
  • Create dynamic roles:
 This example role is called Owner. An owner is defined as the user that a
 resource belongs_to (resource.owner).
 The context in the example below is the controller instance.
 It assumes that your controller has instance methods called current_user and
 current_resource.

 module Roles
  module Owner
   def self.validate(context)
    user = context.send(:current_user)
    # No authenticated user: deny. Without this guard an anonymous request
    # against a resource whose owner is nil would match (nil == nil) and the
    # role would be granted.
    return false unless user

    resource = context.send(:current_resource) if context.respond_to?(:current_resource, true)
    user.extend(Roles::Owner) if resource.respond_to?(:owner) && resource.owner == user

    user.is_a? Roles::Owner
   end
  end
 end
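As an added example (not part of the plugin), here is a second dynamic role, Creator, written in the same self.validate(context) style as the Owner role, exercised against a stub controller context so it runs without Rails. The Creator module, the StubContext class, the User and Document structs and the created_by attribute are assumptions made for this example.

```ruby
# Added example, not part of the plugin: a Creator role in the README's
# self.validate(context) style, run against a constructed controller stand-in.
module Roles
  module Creator
    # True only when an authenticated user created the current resource.
    def self.validate(context)
      user = context.send(:current_user)
      return false unless user                       # anonymous request: fail closed

      resource = context.send(:current_resource) if context.respond_to?(:current_resource, true)
      return false unless resource.respond_to?(:created_by) && !resource.created_by.nil?

      created = (resource.created_by == user.id)
      # Tag the user object as the Owner role does. extend is permanent for that
      # object, so return the fresh comparison rather than is_a?, which would stay
      # true for every later resource checked against the same user object.
      user.extend(Roles::Creator) if created
      created
    end
  end
end

# Constructed stand-ins for the pieces Rails would provide.
User     = Struct.new(:id, :name)
Document = Struct.new(:id, :created_by)   # created_by holds the creator's user id

# Minimal stand-in for a controller instance: only the two methods the role reads.
class StubContext
  def initialize(user, resource)
    @user, @resource = user, resource
  end

  private

  def current_user;     @user;     end
  def current_resource; @resource; end
end

def creator_allowed?(user, resource)
  Roles::Creator.validate(StubContext.new(user, resource))
end

if __FILE__ == $0
  alice = User.new(1, "alice")
  puts creator_allowed?(alice, Document.new(10, 1))    # true
  puts creator_allowed?(alice, Document.new(11, 2))    # false, although alice is now tagged
  puts creator_allowed?(nil,   Document.new(12, nil))  # false
end
```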

Usage

Add access rules to your controllers with "restrict_access_to":

 # Will restrict access to all actions, must be Administrator
 restrict_access_to(Roles::Administrator)

 # Only Administrator can access :destroy action
 restrict_access_to(Roles::Administrator, :on => :destroy)
 restrict_access_to(Roles::Administrator, :action => :destroy)

 # Only Manager can access :update and :edit actions
 restrict_access_to(Roles::Manager, :on => [:update,:edit])
 restrict_access_to(Roles::Manager, :action => [:update,:edit])

There is no difference between the :on and :action options; both do the same thing and exist only as syntactic sugar for the decision-anxious.

Use access_authorized_to_url? in your view helpers:

 def menu_item(name, url)
  return unless access_authorized_to_url?(url, {})
  "<li>#{name}</li>"
 end

Copyright (c) 2008 Redpill-Linpro AB, released under the MIT license
